Data Protection & Privacy Statement
Effective Date: June 2026
1. Our Commitment to Data Protection
At Bright Outcomes Alternative Provision, we are committed to protecting the privacy and personal data of all young people, families, and professionals we work with.
We comply fully with:
• The UK General Data Protection Regulation (UK GDPR)
• The Data Protection Act 2018
• The Human Rights Act 1998
• Relevant safeguarding and education legislation, including Keeping Children Safe in Education (KCSIE)
We process all personal data lawfully, fairly, and transparently, ensuring it is used only for legitimate educational, safeguarding, and administrative purposes.
2. Data Controller
SENDsible Ltd acts as the Data Controller for the personal information we collect.
Data Controller Contact:
Andi Hillman
SENDsible Ltd
Email: hello@sendsible.co.uk
3. What Information We Collect
We may collect and store:
• Personal details (e.g., name, address, date of birth, contact information)
• Education and attendance records
• Safeguarding and wellbeing information
• Family and emergency contact details
• Medical or learning needs (where relevant to education or safety)
• Communication records and progress data
• Staff and professional contact details
We collect only the information necessary to deliver our services safely and effectively.
4. How We Collect Information
We collect personal data directly from:
• Parents, carers, or young people
• Schools, local authorities, or referring professionals
• Partner agencies (e.g., social care, health services)
We may also generate data internally through progress records, attendance monitoring, or safeguarding processes.
5. Lawful Bases for Processing Data
We process personal data under one or more of the following lawful bases (Article 6 of UK GDPR):
• Public task: to perform our duties in the public interest or under official authority (e.g., providing education and safeguarding services).
• Legal obligation: to comply with safeguarding, health, or education law.
• Consent: where we ask for and receive your permission (e.g., use of photographs, testimonials).
• Contract: to deliver services agreed with schools or local authorities.
• Vital interests: where data is needed to protect someone’s life or safety.
For special category data (e.g., health or safeguarding information), we rely on additional lawful bases under Article 9(2) of the UK GDPR, particularly:
• (g) substantial public interest, and
• (h) health or social care purposes.
6. How We Use Your Information
We use personal data to:
• Deliver and monitor education, pastoral care, and support
• Safeguard and promote welfare
• Communicate with families, schools, and professionals
• Manage attendance, assessments, and progress
• Fulfil statutory reporting and examination requirements
• Meet contractual and legal obligations
We never sell personal data or use it for marketing without consent.
7. Systems and Data Security
We use secure, GDPR-compliant systems to store and manage data, including:
• Microsoft Teams – secure communication and collaboration
• DC Pro – tracking academic progress and attendance
• Evidence for Learning – recording educational progress and achievements
• Bubble platform – encrypted internal management systems
• AWS (Amazon Web Services) – hosting and data storage infrastructure
All systems use encryption in transit (HTTPS/TLS) and encryption at rest, with password-protected and role-based access for authorised staff only.
8. Sharing Information
We may share information securely and lawfully with:
• Schools, local authorities, and referring agencies
• Health, social care, or safeguarding professionals
• Examination boards and awarding bodies
• Regulatory bodies (e.g., Ofsted, Local Authority Designated Officer)
We only share the minimum data necessary and ensure information is transferred securely.
Where required, we have Data Sharing Agreements or Data Processing Agreements (DPAs) in place with these organisations.
9. International Data Transfers
We do not routinely transfer data outside the UK.
If any system (such as Microsoft or AWS) processes data overseas, it is done under UK-approved adequacy regulations and standard contractual clauses to ensure equivalent protection.
10. Data Retention
We keep personal data only for as long as necessary to meet legal, contractual, or safeguarding requirements.
Retention periods are set out in our internal Data Retention Policy, which aligns with statutory education and safeguarding guidance.
After the retention period, data is securely deleted or destroyed.
11. Your Rights
Under the UK GDPR, you have the right to:
• Access the personal data we hold about you
• Request correction of inaccurate information
• Request deletion (the “right to be forgotten”)
• Restrict processing in certain circumstances
• Object to data processing based on specific grounds
• Request portability of data to another provider (where applicable)
To exercise any of these rights, please contact our Data Protection Lead.
If you are unhappy with our response, you have the right to contact the Information
Commissioner’s Office (ICO):
4Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
12. Updates to This Statement
We review this statement annually or sooner if legislation or our data processing practices change.
The latest version will always be available on our website.